
IPsec VPN with firewall behind a router

You can configure IPsec VPN connections between firewalls behind a router.

In this example, the head office firewall is behind a router and doesn't have a public IP address. You must configure the following at the head office and the branch office:

  1. Firewall prerequisite: Configure IP hosts for the local and remote subnets.
  2. Configure the IPsec VPN connection.
  3. Optional: Edit the automatically created firewall rule to create an independent rule for outbound traffic.
  4. Optional: Create a firewall rule for inbound traffic if you want independent firewall rules.
  5. Allow access to services.
  6. Configure the router settings.
  7. Check connectivity.
  8. Check the logs.

Here's an example network diagram:

[Network diagram for NAT traversal]

Configure the head office firewall

Configure the IPsec connection and firewall rules.

Add an IPsec connection

Create and activate an IPsec connection at the head office.

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Select Activate on save.
  4. Select Create firewall rule.
  5. For Connection type, select Site-to-site.
  6. For Gateway type, select Respond only.

    [Screenshot: General settings]

  7. For Profile, select Head office (IKEv2).

  8. For Authentication type, select Preshared key.
  9. Enter a key and confirm it.

    [Screenshot: Encryption settings]

  10. For Listening interface, select the local firewall's WAN port (example: 10.10.10.2).

  11. For Gateway settings, enter the remote firewall's WAN port (example: 203.0.113.10).
  12. For Local subnet, select the IP host you've created for 192.168.2.0.
  13. For Remote subnet, select the IP host you've created for 192.168.3.0.
  14. Click Save.

    [Screenshot: Gateway settings]

Edit the firewall rule

To configure an independent outbound VPN rule, edit the automatically created firewall rule. Alternatively, check the settings if you already have a firewall rule for VPN traffic.

  1. Go to Rules and policies > Firewall rules.
  2. Click the rule group Automatic VPN rules and click the rule you've created.

    [Screenshot: Click the firewall rule]

  3. Specify the following settings:

    Option Setting
    Rule name Outbound VPN traffic
    Source zones LAN
    Source networks and devices HQ_LAN
    Destination zones VPN
    Destination networks Branch_LAN
    Services Any
  4. Click Save.

    [Screenshot: Outbound firewall rule]

Add a firewall rule

Create a firewall rule for inbound VPN traffic if you don't have one.

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule and select New firewall rule.
  3. Specify the following settings:

    Option Setting
    Rule name Inbound VPN traffic
    Source zones VPN
    Source networks and devices Branch_LAN
    Destination zones LAN
    Destination networks HQ_LAN
    Services Any
  4. Click Save.

    [Screenshot: Inbound firewall rule]

Allow access to services

  1. Go to Administration > Device access.
  2. Under IPsec, select WAN.
  3. Under Ping/Ping6, select VPN.

    Users can ping the firewall's IP address through the VPN to check connectivity.

  4. Click Apply.

Configure your router settings

Do as follows:

  1. Make sure you configure a DNAT rule on the router to allow the VPN traffic.

    1. Set the original destination to the router's WAN interface (example: 203.0.113.1).
    2. Set the translated destination to the local firewall's WAN interface (example: 10.10.10.2).
  2. Allow the following services:

    1. UDP port 500 (IKE)
    2. UDP port 4500 (NAT traversal, UDP-encapsulated ESP)
    3. IP protocol 50 (ESP)
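As an added example that is not part of this documentation, here is how the two router steps above could be expressed for a Linux router running nftables. The WAN interface name eth0 is an assumption; the addresses are the page's example values. It also limits the DNAT to the branch firewall's WAN address, which the page does not require, and parses the rendered ruleset back to confirm that all three IPsec services are forwarded.

```python
"""Router-side DNAT for IPsec NAT traversal, rendered as an nftables ruleset.

Added example; it is not Sophos code. Assumes a Linux router with nftables
whose WAN interface is eth0. Addresses follow the page's example topology:
router WAN 203.0.113.1, head office firewall WAN 10.10.10.2, branch WAN
203.0.113.10.
"""
from dataclasses import dataclass

# What IKE/IPsec needs through a NAT device: IKE (UDP 500),
# NAT-T / UDP-encapsulated ESP (UDP 4500) and native ESP (IP protocol 50).
REQUIRED = {("udp", 500), ("udp", 4500), ("esp", None)}


@dataclass(frozen=True)
class RouterDnat:
    wan_if: str        # router WAN interface name (assumed: eth0)
    router_wan: str    # original destination: router WAN, 203.0.113.1
    firewall_wan: str  # translated destination: firewall WAN, 10.10.10.2
    peer_wan: str      # branch firewall WAN; limits who can reach IKE on the firewall


def render_nft(d: RouterDnat) -> str:
    """Render a ruleset for `nft -f`. The forward chain is shown so the allow
    list is explicit; on a router whose existing forward chain drops by
    default, add the accept rules to that chain instead."""
    match = f'iif "{d.wan_if}" ip saddr {d.peer_wan}'
    return "\n".join([
        "table ip ipsec_nat {",
        "    chain prerouting {",
        "        type nat hook prerouting priority -100; policy accept;",
        f"        {match} ip daddr {d.router_wan} udp dport {{ 500, 4500 }} dnat to {d.firewall_wan}",
        f"        {match} ip daddr {d.router_wan} ip protocol esp dnat to {d.firewall_wan}",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        f"        {match} ip daddr {d.firewall_wan} udp dport {{ 500, 4500 }} accept",
        f"        {match} ip daddr {d.firewall_wan} ip protocol esp accept",
        "    }",
        "}",
    ])


def forwarded_services(rules: str) -> set:
    """Parse the rendered ruleset back into the (proto, port) pairs it DNATs."""
    found = set()
    for line in rules.splitlines():
        if "dnat to" not in line:
            continue
        if "udp dport" in line:
            ports = line.split("{")[1].split("}")[0]
            found.update(("udp", int(p)) for p in ports.split(","))
        if "ip protocol esp" in line:
            found.add(("esp", None))
    return found


def covers_ipsec(rules: str) -> bool:
    """True when every service IPsec NAT traversal needs is forwarded."""
    return REQUIRED <= forwarded_services(rules)
```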

Configure the branch office firewall

Configure the IPsec connection and firewall rules.

Add an IPsec connection

Create and activate an IPsec connection at the branch office.

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Select Activate on save.
  4. Select Create firewall rule.
  5. For Connection type, select Site-to-site.
  6. For Gateway type, select Initiate the connection.

    [Screenshot: General settings]

  7. For Profile, select Branch office (IKEv2).

  8. For Authentication type, select Preshared key.
  9. Enter a key and confirm it.

    [Screenshot: Encryption settings]

  10. For Listening interface, select the local firewall's WAN port (203.0.113.10).

  11. For Gateway settings, enter the head office router's WAN port (203.0.113.1).
  12. For Local subnet, select the IP host you've created for 192.168.2.0.
  13. For Remote subnet, select the IP host you've created for 192.168.3.0.
  14. Click Save.

    [Screenshot: Gateway settings]

Edit the firewall rule

To configure an independent outbound VPN rule, edit the automatically created firewall rule. Alternatively, check the settings if you already have a firewall rule for VPN traffic.

  1. Go to Rules and policies > Firewall rules.
  2. Click the rule group Automatic VPN rules and click the rule you've created.

    [Screenshot: Click the firewall rule]

  3. Specify the following settings:

    Option Setting
    Rule name Outbound VPN traffic
    Source zones LAN
    Source networks and devices Branch_LAN
    Destination zones VPN
    Destination networks HQ_LAN
    Services Any
  4. Click Save.

    [Screenshot: Outbound firewall rule]

Add a firewall rule

Create a rule for inbound VPN traffic if you don't already have one.

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule and select New firewall rule.
  3. Specify the following settings:

    Option Setting
    Rule name Inbound VPN traffic
    Source zones VPN
    Source networks and devices HQ_LAN
    Destination zones LAN
    Destination networks Branch_LAN
    Services Any
  4. Click Save.

    [Screenshot: Outbound firewall rule]

Allow access to services

  1. Go to Administration > Device access.
  2. Under IPsec, select WAN.
  3. Under Ping/Ping6, select VPN.

    Users can ping the firewall's IP address through the VPN to check connectivity.

  4. Click Apply.

Check the connectivity

Check the VPN connectivity between the head office and the branch office.

  • Head office firewall: Ping the branch office subnet. For example, on Windows, type the following command at the command prompt: ping 192.168.3.0
  • Branch office firewall: Ping the head office subnet. For example, on Windows, type the following command at the command prompt: ping 192.168.2.0

Check the logs

The head office firewall's logs show that it's detected a NAT device in front of it.

The branch office firewall's logs show that it's detected a NAT device in front of the head office firewall.
